For a while now we have had IWAN NetFlow support built into our network incident response system, which collects and reports on NetFlow, IPFIX, sFlow, and all other flow derivatives. IWAN stands for Intelligent WAN and promises intelligent path control, application optimization, and secure connectivity to the Internet and branch locations while reducing the operating cost of the WAN.

Performance Routing v3 (PFRv3) is a key component of IWAN and represented in the flow exports coming from IWAN supporting hardware. OER, PFR, and IWAN all refer to the same technology; IWAN is just the newest rebranding effort. These deployments are typically in large enterprises rather than SMBs.

Why should you care about IWAN? To start, if your business has multiple branch offices connected to an MPLS WAN, the cost of bandwidth can be quite expensive. What IWAN allows you to do is purchase bandwidth from commercial ISPs (think DSL, cable, and 4G) and dynamically treat these Internet connections as WAN connections. Since the cost of these business-class Internet connections is fairly low, say $100 for 100Mbps per month, the cost savings across your branch offices can be significant, especially when compared to increasing the total bandwidth at the corporate hub.

In addition to the cost savings at the branch office, you also receive much better branch network performance and better performance to cloud applications from the remote sites, too. This is in part because Internet traffic that doesn’t require a direct connection from the corporate hub can be sent over the branch office’s own Internet connection. Say you have a cloud application running on an Amazon EC2 server. The branch office can connect directly to the application without going through the corporate MPLS, but the traffic can still be monitored and directed as though it had gone through corporate.

There are a number of technologies that Cisco uses to provide these benefits. One of the technologies used in IWAN is based on VPN; it’s called Dynamic Multipoint VPN (DMVPN). What this does is create encrypted tunnels from each of the Internet connections at the branch offices back to the hub. For each connection you have at your office, e.g. DSL, cable, and 4G, you create a VPN tunnel.

[Figure: dual DMVPN cloud topology]

Another technology is Performance Routing (PFR). PFR is a technology that ensures priority applications receive the bandwidth and response times needed to support the business. In a congested network traffic environment, PFR will consider class maps and priority queuing to reroute time-sensitive applications to ensure that the ideal end user experience is not interrupted.

Say your DSL isn’t functioning well at one location for a period of time; PFR will stop using that connection. Or, if you’re getting more bandwidth out of one system, i.e. one router, it will prioritize sending the information through that system. Using Cisco IWAN also increases reliability. Imagine if your MPLS goes down, or another connection goes down. The remaining paths stay up. Along these lines, you can have two routers at each branch and at the central hub, creating a network with no single point of failure.

How, though, do you determine the effectiveness of the DMVPN connections? Well, you use NetFlow, of course, along with IP SLA. NetFlow can be used for passive measurement of the traffic actually crossing each tunnel, and IP SLA for active throughput and latency probing.

[Figure: performance routing latency by interface]


By leveraging IWAN NetFlow support, you can determine if your PFR configuration is optimal, or if you need to change class maps and priority queuing to provide better path options for your network traffic.
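As an added illustration of the kind of check this paragraph describes (example code written for this post, not Plixer’s or Cisco’s own), the Python below aggregates constructed, already-decoded flow records per DMVPN tunnel and application class and flags paths whose measured delay or loss exceeds the class policy, which is the situation where you would revisit the PFR class maps. The field names, tunnel names and thresholds are assumptions for illustration, not the real IPFIX element names.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records, one per exported flow, already decoded.
# Field names (tunnel, app_class, bytes, delay_ms, loss_pct) are assumed
# for illustration; real PFR exports use IPFIX information elements.
SAMPLE_FLOWS = [
    {"tunnel": "Tunnel100", "app_class": "VOICE", "bytes": 12000, "delay_ms": 45, "loss_pct": 0.0},
    {"tunnel": "Tunnel100", "app_class": "VOICE", "bytes": 8000, "delay_ms": 50, "loss_pct": 0.0},
    {"tunnel": "Tunnel200", "app_class": "VOICE", "bytes": 9000, "delay_ms": 180, "loss_pct": 0.5},
    {"tunnel": "Tunnel200", "app_class": "VOICE", "bytes": 7000, "delay_ms": 210, "loss_pct": 0.5},
    {"tunnel": "Tunnel200", "app_class": "BULK", "bytes": 500000, "delay_ms": 220, "loss_pct": 2.0},
]

# Per-class limits modelled on PFR class policies (values assumed).
THRESHOLDS = {
    "VOICE": {"delay_ms": 150, "loss_pct": 1.0},
    "BULK": {"delay_ms": 500, "loss_pct": 5.0},
}


def summarize_paths(flows):
    """Aggregate flows per (tunnel, app_class): bytes, mean delay, mean loss, count."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["tunnel"], f["app_class"])].append(f)
    summary = {}
    for key, recs in groups.items():
        summary[key] = {
            "bytes": sum(r["bytes"] for r in recs),
            "delay_ms": mean(r["delay_ms"] for r in recs),
            "loss_pct": mean(r["loss_pct"] for r in recs),
            "flows": len(recs),
        }
    return summary


def out_of_policy(summary, thresholds=THRESHOLDS):
    """Return (tunnel, app_class, reason) for every path whose measured
    performance exceeds the class limit, i.e. traffic PFR should have steered away."""
    findings = []
    for (tunnel, cls), m in summary.items():
        limit = thresholds.get(cls)
        if limit is None:
            continue  # no policy for this class, nothing to enforce
        if m["delay_ms"] > limit["delay_ms"]:
            findings.append((tunnel, cls, "delay"))
        if m["loss_pct"] > limit["loss_pct"]:
            findings.append((tunnel, cls, "loss"))
    return findings


if __name__ == "__main__":
    for finding in out_of_policy(summarize_paths(SAMPLE_FLOWS)):
        print("out of policy:", finding)
```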

If you need assistance determining the effectiveness of your DMVPN connections, give us a call. We’ll show you how you can take full advantage of DMVPN and IWAN.

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.
